XSSSanitize Java action replacing special HTML characters

Hi all, during a security audit the team found that my application executes scripts written inside string fields. I searched online and used the XSSSanitize Java action available in the CommunityCommons module. This action replaces HTML characters such as " with &quot;. I tried different policies and they all behave the same. But an end user who enters proper text containing " does not want it converted like this. So could anyone tell me if there is an option to avoid cross-site scripting for string input fields?
2 answers

From your description, it looks like XSSSanitize also escapes all HTML characters. According to Google, you can undo this by creating a Java action with a String input and String output and the following code:

return StringEscapeUtils.unescapeHtml4(input);

Be sure to add an import: import org.apache.commons.lang3.StringEscapeUtils;

Note 1: I haven't actually tested this.

Note 2: You should ensure that unescaping the HTML does not leave you vulnerable. XSSSanitize is controlled by policy files found in /projectfolder/resources/communitycommons/antisamy. You can manually edit these files to allow or disallow additional characters or elements.
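As an added illustration (not code from the answer above, from the CommunityCommons module, or from Mendix), the following stand-alone Java program shows what the proposed round trip does to a stored value and why Note 2 matters: once the sanitizer's entity encoding is undone, any markup the user typed is live again, so the place to neutralize it is at output time, where a widget writes the value into the page. It assumes commons-lang3 on the classpath, as the answer does; the class and method names and the sample strings are constructed for this example.

```java
import org.apache.commons.lang3.StringEscapeUtils;

// Added example, not code from the forum answer or the CommunityCommons module.
// Assumes commons-lang3 (StringEscapeUtils) is available, as the answer suggests.
public class QuoteSafeStorageDemo {

    // Constructed sample inputs: a benign string with quotes, and one carrying markup.
    static final String BENIGN = "He said \"hello\" & left";
    static final String HOSTILE = "<b onmouseover=\"x()\">click</b>";

    /** Stand-in for what the question describes: the sanitizer leaves HTML entities in the stored value. */
    static String storedAfterSanitize(String input) {
        return StringEscapeUtils.escapeHtml4(input);
    }

    /** The answer's proposed Java action: undo the entity encoding so the user sees plain quotes again. */
    static String unescapeAction(String input) {
        return StringEscapeUtils.unescapeHtml4(input);
    }

    /** Output-time escaping: what a widget should apply just before inserting a value into the DOM. */
    static String forHtmlOutput(String rawValue) {
        return StringEscapeUtils.escapeHtml4(rawValue);
    }

    public static void main(String[] args) {
        String stored = storedAfterSanitize(BENIGN);
        // The stored form shows &quot; and &amp;, which is what the end user complained about.
        System.out.println("Stored by sanitizer : " + stored);
        // Unescaping restores the text exactly as typed.
        System.out.println("After unescape      : " + unescapeAction(stored));

        // The same round trip on hostile input restores the markup too; a widget that writes
        // this into the DOM without escaping would render it as HTML, not as text.
        String hostileStored = storedAfterSanitize(HOSTILE);
        String hostileRaw = unescapeAction(hostileStored);
        System.out.println("Hostile unescaped   : " + hostileRaw);

        // Escaping at render time keeps the user's quotes readable in storage while
        // guaranteeing the browser treats the value as text.
        System.out.println("Rendered (escaped)  : " + forHtmlOutput(hostileRaw));
    }
}
```

Run it with commons-lang3 on the classpath; the two "Stored by sanitizer" and "Hostile unescaped" lines show the trade-off the question describes, and the last line shows the value a widget should actually place in the page.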


Where is the string actually getting placed in your DOM such that it can be executed? It almost certainly is not a Mendix default widget, but rather some vulnerability in a custom widget.

For example, I've seen an XSS risk in the past on the DropDownDivConverter widget. It was using the value of an attribute directly as a label on a button. So the fix was to escape that value before it was placed in the DOM, like this: